Hacking reached a new peak in 2017, as the Equifax breach sent massive shock waves through the business and consumer worlds. As IT pros know all too well, hackers will only become more sophisticated and advanced in their techniques from here on out.
According to Cybersecurity Ventures, the costs associated with cyber attacks are projected to clock in at $6 trillion per year by 2021. IoT security is going to become a lot more challenging, too. With that in mind, here are some of the trickiest exploits to keep on your radar in the new year, along with tips on how to prevent your colleagues from falling prey to them.
Watch out for The Netflix phishing exploit
Hackers have found crafty ways to get their phishing exploits into your inbox. One example is the notorious Netflix phishing email, which hit users hard in 2017. On the surface, it ticks off all the usual boxes you’d expect to see in a phishing email: an urgent-sounding warning that your Netflix account has been suspended, links to seamlessly branded websites that ask you to provide as much personal data as possible to regain access, and a dodgy email address in the sender field.
Scratch the surface and you’ll find this attack is more wily than it appears. Some versions of the Netflix email encrypt user-side HTML in the landing pages, preventing scanners from determining whether any of the code inside is malicious. These pages are also coded to prevent IPs associated with internet security groups from loading, thus skirting the danger of landing on a blacklist. What’s more, they use compromised WordPress accounts to host many of these pages, temporarily coasting on their good online reputation scores to slip under the radar while they inflict their damage.
Those robust cybersecurity tools you typically rely on may need some time to catch up to this new breed of phishing attack. While they’re doing that, Dave from marketing might just click on that Netflix phishing link in a fit of anxiety over not being able to binge The Crown, and he’s about to get a lot more than he bargained for.
Keep hackers from creeping into your email convos
Nothing’s sacred anymore. Hackers are sneaking into your email chains and inserting clever, socially engineered replies that contain harmful attachments. Using previously compromised email accounts, hackers reply to active email threads with simple messages, such as, “Please see attached and confirm,” including a Microsoft Word attachment with malicious macros. After a user clicks on the attachment and grants permission to run macros, the Trojan horse lies in wait until Word is closed and then does its dirty work behind the scenes, silently executing the macros and downloading a malicious payload. From there, it may steal credentials, help itself to cryptocurrency, or log into financial sites.
Bad actors have used this technique to propagate Ursnif, the banking Trojan horse. It’s pretty diabolical, taking advantage of the trust today’s busy office professionals have in their digital communications with colleagues so it can deliver a sneak attack they would rarely see coming. As with the Netflix exploit, this hack has escaped detection from many cybersecurity tools so far. And once it’s duped one of your colleagues, it has a good chance of tricking others at your company, too.
Defend against IoT ransomware attacks
While you’re worrying about these devious new phishing attacks, make sure you also dedicate some time to the major concern that is IoT security in 2018. Internet-connected consumer devices are coming online at an astonishing rate. According to Gartner, we saw 8.4 billion connected devices in 2017 and can expect a whopping 20.4 billion to be in place by 2020.
Connected devices can become a form of shadow IT, as office professionals blithely plug them into corporate networks without informing IT. They can also be officially sanctioned, arriving in the form of shiny new projectors, whiteboards, and security cameras that IT is charged with supporting and protecting. Just as hackers are already targeting environments with lax print security, industry observers warn they may soon turn their sights on IoT devices to stage similarly crippling attacks on businesses.
Protect your business from ruthless exploits
How can you keep your colleagues safe from this next generation of attacks? Here are some tips for what they should watch out for while you work hard behind the scenes to tighten up your cybersecurity defenses across the business:
- When reviewing an email, check the sender’s address to make sure it looks legitimate.
- Check any links you find and make sure they point to the correct source.
- If you’ve received an email that seems off somehow, be wary before opening any attachments. If you do click on a dodgy attachment and it asks you to enable macros, deny it permission.
- If you’re not sure a message you’ve gotten is legit, directly contact the person or business referenced in the message—using a phone number or other method from legitimate correspondence you’ve gotten in the past—to confirm the message is real.
- Don’t use the same password on different sites. That makes it much easier for hackers to gain unauthorized access. Instead, use a password manager and update your passwords on a regular basis.
- If you’re thinking of connecting an IoT or other device to the company network, whether wired or wireless, check with IT to make sure its security is up to par.
The new year may prove challenging when it comes to cybersecurity, but IT pros can get ahead of the game by keeping tabs on emerging threats, doubling down on securing their environments, and giving their colleagues regular, up-to-date cybersecurity awareness training. That way, hackers will have a much harder time causing mischief—as they should.